Where, pursuant to a Contract between SteamaCo and the Customer, SteamaCo is required to process any personal data on behalf of the Customer as a data processor, this Data Processing Addendum (the Addendum) shall apply to such data processing activities and shall form part of and be incorporated into the Contract.
1. DEFINITIONS & INTERPRETATION
1.1. In this Addendum, capitalised terms shall have the meaning set out below:
Approved Processor: shall have the meaning in paragraph 2.7;
Customer Personal Data: any personal data uploaded, inputted, stored, transmitted and/or otherwise communicated to or via the Software and/or otherwise provided to SteamaCo by or on behalf of the Customer in connection with the Contract, including any personal data relating to Consumers;
Data Protection Legislation: all Applicable Law relating to the processing of personal data, privacy, the protection of personal data in electronic communications and direct marketing, including (where applicable) the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "GDPR"), any national law which implements the GDPR in the United Kingdom, and the Privacy and Electronic Communications (EC Directive) Regulations 2003; and
Data Protocol: a protocol setting out the types of personal data which may be processed by SteamaCo in connection with hosting the Software and otherwise providing the Services, the subject matter and purposes of the processing and the duration of the processing, as set out in the Annex to this Addendum and any further data protocol which is agreed in writing and signed by the parties from time to time (and which shall, once agreed, form part of and be incorporated into this Addendum and the Contract).
1.2. The terms “personal data”, “data controller”, “controller”, “data processor”, “processor”, “process”, “data subject”, “data protection impact assessment”, “third country” and “international organisation” shall each have the applicable meaning set out in the Data Protection Legislation.
1.3. References to paragraphs and the Annex are to paragraphs of and the annex to this Addendum, unless stated otherwise. The Annex forms a part of this Addendum and the Contract.
1.4. The definitions and rules of interpretation set out in the SteamaCo General Terms and Conditions shall apply to this Addendum.
2. GENERAL
2.1 This Addendum sets out the basis on which SteamaCo shall process Customer Personal Data as a data processor on behalf of the Customer for the purpose of hosting the Software and providing the Services pursuant to the Contract.
2.2 In addition to the Customer Personal Data which SteamaCo processes on behalf of the Customer, SteamaCo may also process personal data in connection with the Contract in SteamaCo's own capacity as a data controller (where SteamaCo will determine the purposes and means of the processing). The provisions of this Addendum shall not apply to such processing where SteamaCo is the data controller, but SteamaCo shall undertake such processing in accordance with SteamaCo's legal obligations to data subjects under the Data Protection Legislation.
2.3 Each party agrees that in respect of its processing of Customer Personal Data in connection with the licensing of the Software under the Contract and this Addendum, it shall comply with its obligations under the Data Protection Legislation, together with the provisions of this Addendum and any applicable Data Protocol.
2.4 Notwithstanding anything to the contrary in this Addendum, in the event of any conflict between the provisions of this Addendum and the provisions of the remainder of the Contract, the provisions of this Addendum shall take precedence.
3. CUSTOMER'S OBLIGATIONS
3.1 As a data controller, it is the Customer's responsibility to ensure that the Customer is entitled to process and to authorise SteamaCo to process the Customer Personal Data in the manner and for the duration envisaged by this Addendum and the Contract. If at any time the Customer has reason to believe that the processing of any Customer Personal Data under this Addendum is in breach of Data Protection Legislation, the Customer shall immediately notify SteamaCo, together with an explanation of the concern.
3.2 Prior to sharing Customer Personal Data with SteamaCo, the Customer shall:
(a) identify the lawful basis on which the parties can rely under Data Protection Legislation to process such Customer Personal Data. Unless the lawful basis the Customer wishes to rely on is performance of a contract or the data subject's consent, the Customer shall inform SteamaCo of the lawful basis for processing such Customer Personal Data (prior to sharing such personal data with SteamaCo) and if the lawful basis for processing changes, the Customer shall notify SteamaCo as soon as practicable, but in any event no later than 14 days after such change occurs;
(b) provide the following information to Consumers:
"The technology we use to automate your [electricity/utility] consumption is licensed to us and hosted by SteamaCo. SteamaCo will have access to your personal data as a result. Such data will be processed by SteamaCo in accordance with their privacy policy. If you have any queries regarding the use of your personal data, please contact your sales representative or by email at [insert Customer email address]";
together with all other necessary fair processing information required under Data Protection Legislation about the processing of the Customer Personal Data; and
(c) obtain the Consumer's consent to processing their personal data (where the lawful basis the Customer is relying on to process the Customer Personal Data is consent).
3.3 The Customer shall ensure at all times that the Customer's instructions to SteamaCo for the processing of Customer Personal Data under this Addendum comply with Data Protection Legislation and that compliance with such instructions would not cause SteamaCo to breach any Data Protection Legislation.
3.4 The Customer shall be responsible for the provision of the corresponding fair processing information to relevant data subjects and for obtaining any consents that may be required (in each case to the extent necessary in order to comply with Data Protection Legislation) from that data subject. The Customer shall ensure that such fair processing notices are accurate and complete, and that any consents are sufficient in order for SteamaCo to lawfully process the Customer Personal Data in the manner set out in this Addendum.
3.5 If the Customer requires SteamaCo to transfer any Customer Personal Data to a third party provider engaged by the Customer, the Customer shall be solely responsible for identifying the lawful basis under the Data Protection Legislation on which the parties can rely to transfer such Customer Personal Data to the relevant third party provider (and the Customer shall notify SteamaCo of the same). A written data processing agreement must be in place between the Customer and such provider. The Customer acknowledges and agrees that SteamaCo has no control over, and shall have no liability in respect of, how any personal data is processed by such third party provider engaged by the Customer.
4. SUPPLIER'S RESPONSIBILITIES
4.1 In respect of the Customer Personal Data processed by SteamaCo on the Customer's behalf, SteamaCo shall:
(a) only process Customer Personal Data on behalf of the Customer where and to the extent necessary to host the Software and otherwise to perform the Contract and comply with SteamaCo's obligations under Applicable Law, in accordance with the terms of this Addendum, any applicable Data Protocol, and any additional reasonable instructions the Customer may issue from time to time (provided that such instructions are within the scope of SteamaCo's obligations under this Addendum), unless otherwise required by law, regulation, a court of competent jurisdiction or any other governmental or regulatory body;
(b) implement appropriate technical and organisational measures, taking into account the nature and purposes of the processing and the nature of the personal data to be protected, to protect the Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction or damage. Details of such measures are available from SteamaCo upon request, and the Customer shall have the opportunity to review and assess them in accordance with the Customer's own obligations under Data Protection Legislation. SteamaCo reserves the right to revise the technical and organisational measures at any time, without notice, provided that such revisions will not materially reduce the overall security provided for the Customer Personal Data that SteamaCo processes;
(c) ensure that personnel who have access to and/or process the Customer Personal Data are obliged to keep the Customer Personal Data confidential;
(d) not transfer the Customer Personal Data outside of the European Economic Area (EEA) without complying with the provisions of the Data Protection Legislation in respect of such transfer, save that if the Customer requires SteamaCo to transfer any Customer Personal Data outside the EEA pursuant to the Customer's instructions, it shall be the Customer's responsibility to ensure that any such transfer complies with the provisions of the Data Protection Legislation and to notify SteamaCo of any specific instructions or restrictions in respect of the same;
(e) notify the Customer without undue delay if SteamaCo becomes aware of any personal data breach or of any request or objection from a data subject pursuant to the Data Protection Legislation, in each case relating to the Customer Personal Data;
(f) to the extent that the Customer does not have the ability to address a request from a data subject to exercise the data subject's rights under the Data Protection Legislation (including requests for access to personal data; rectification or erasure of personal data; restriction of processing of personal data; and portability of personal data) (a "Data Subject Request") in respect of SteamaCo's processing of Customer Personal Data, SteamaCo shall, upon the Customer's request and insofar as is reasonably possible, provide commercially reasonable assistance, at the Customer's cost, to facilitate such Data Subject Request;
(g) reasonably assist the Customer, at the Customer's cost, in ensuring compliance with the Customer's obligations under the Data Protection Legislation with respect to consultations with supervisory authorities or regulators;
(h) provide the Customer with reasonable cooperation and assistance, at the Customer's cost, as may be required to fulfil the Customer's obligation under the GDPR to carry out a data protection impact assessment related to the Customer's use of the Software, to the extent that the Customer does not otherwise have access to the relevant information and to the extent that such information is available to SteamaCo;
(i) inform the Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed by SteamaCo in connection with this Addendum;
(j) maintain records and information regarding SteamaCo's processing activities in respect of the Customer Personal Data to demonstrate SteamaCo's compliance with this Addendum;
(k) allow for audits by the Customer or the Customer's designated auditor of SteamaCo's systems and procedures relevant to the processing of Customer Personal Data, provided that, in the case of any audit:
(i) the Customer shall comply with any reasonable requirements or security restrictions that SteamaCo may impose to safeguard SteamaCo's systems, personal data SteamaCo holds on behalf of other clients and SteamaCo's own confidential or commercially sensitive information, and to avoid unreasonable disruption to SteamaCo's business and operations;
(ii) the Customer shall reimburse SteamaCo for any time expended by SteamaCo on any such audit at SteamaCo's then current professional services rates (which shall be made available to the Customer upon request), such costs to be reasonable taking into account the resources expended by SteamaCo; and
(iii) before the commencement of any audit, the parties shall mutually agree on the scope, timing and duration of the audit.
5. SUB-PROCESSORS
5.1 SteamaCo may use the following types of processors who may process Customer Personal Data in connection with hosting the Software:
· Providers of cloud computation and storage resources;
· Telecommunications networks, gateways, APIs and / or mobile money services;
· Providers of hosted software;
· Data centres;
· Providers of penetration testing services;
details of which are available to the Customer upon request. SteamaCo may update the list of its processors from time to time. The Customer acknowledges that such information is confidential.
5.2 The Customer hereby consents to SteamaCo appointing the processors set out in clause 5.1 above as processors of the Customer Personal Data under this Addendum. SteamaCo shall have in place a written contract with such processors in respect of such processing of the Customer Personal Data.
5.3 SteamaCo shall inform the Customer of any intended changes or replacements to any such processors or any additional processors. Within a period of 30 days of the date of notification of such changes, the Customer may object to any such changes on reasonable grounds, in which event either party shall have the right to terminate this Addendum on giving the other party 30 days' written notice, without liability to the other party. If the Customer has not objected to any such changes within a period of 30 days of the date of the notification of the changes, the Customer shall be deemed to have accepted such changes.
ANNEX
Data Protocol
This Annex sets out the basis on which SteamaCo processes Customer Personal Data.
Subject matter and purpose of processing
SteamaCo shall process the Customer Personal Data for the purpose of monitoring the usage of Utilities by the Customer's Consumers on the Customer's behalf, hosting the Software and otherwise providing the Services as outlined in this Addendum and the Contract.
Types of personal data to be processed and categories of data subject
The data subjects to whom the Customer Personal Data relates will be primarily individual Consumers who the Customer supplies Utilities to (or is about to supply Utilities to).
The types of Customer Personal Data which SteamaCo may process when hosting the Software will include:
· Consumer name;
· Mobile phone number;
· Address;
· Utilities usage;
· Payment records (but not including payment method details, such as credit card numbers);
· Such other personal data as may be collected by the Customer from the Consumer and provided to SteamaCo from time to time or which is otherwise uploaded, inputted, stored, transmitted and/or otherwise communicated to or via the Software.
Duration of the processing
SteamaCo shall not process the Customer Personal Data on behalf of the Customer for any longer than is required for the purposes of hosting the Software. Following termination of the Software licence, SteamaCo shall cease processing and delete all Customer Personal Data, save to the extent: (a) required by Applicable Law; (b) as a result of SteamaCo's automatic archiving and backup procedures; and/or (c) to comply with bona fide internal compliance and audit policies and procedures. SteamaCo shall not be liable to the Customer for any such deletion of the Customer Personal Data.